Malware Analysis Report

2025-01-03 07:36

Sample ID 230816-ermddsha81
Target ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4
SHA256 ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4
Tags
asyncrat stormkitty default rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4

Threat Level: Known bad

The file ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4 was found to be: Known bad.

Malicious Activity Summary

asyncrat stormkitty default rat spyware stealer

StormKitty payload

AsyncRat

StormKitty

Async RAT payload

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Looks up geolocation information via web service

Looks up external IP address via web service

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-16 04:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-16 04:10

Reported

2023-08-16 04:13

Platform

win10v2004-20230703-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 1820 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 644 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2156 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2156 wrote to memory of 2232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2156 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2156 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2156 wrote to memory of 2516 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2156 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2156 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2156 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 644 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 644 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 3672 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3672 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3672 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3672 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3672 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3672 wrote to memory of 4460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe

"C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jNrzOzeOpwekIz.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jNrzOzeOpwekIz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8CCA.tmp"

C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe

"C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.18.115.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 97.115.18.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:6606 tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp
US 8.8.8.8:53 9.73.50.20.in-addr.arpa udp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:6606 tcp

Files

memory/1820-133-0x0000000000FD0000-0x00000000010C6000-memory.dmp

memory/1820-134-0x0000000074980000-0x0000000075130000-memory.dmp

memory/1820-135-0x0000000006080000-0x0000000006624000-memory.dmp

memory/1820-136-0x0000000005AD0000-0x0000000005B62000-memory.dmp

memory/1820-137-0x0000000005C40000-0x0000000005C50000-memory.dmp

memory/1820-138-0x0000000005B70000-0x0000000005B7A000-memory.dmp

memory/1820-139-0x0000000074980000-0x0000000075130000-memory.dmp

memory/1820-140-0x0000000005C40000-0x0000000005C50000-memory.dmp

memory/1820-141-0x0000000007680000-0x000000000771C000-memory.dmp

memory/4016-146-0x0000000004870000-0x00000000048A6000-memory.dmp

memory/4016-147-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4016-148-0x00000000048B0000-0x00000000048C0000-memory.dmp

memory/4016-149-0x0000000004EF0000-0x0000000005518000-memory.dmp

memory/4328-150-0x0000000074980000-0x0000000075130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp8CCA.tmp

MD5 9a46c04218a584bb349ccf6ea781b257
SHA1 7695527aa807564184d73b03c1d53f8a10fc869a
SHA256 3127d6633054d083190b13e4f066aed7a94c9863989cfd375490e41d5dd66b25
SHA512 18fe9c4852c4fbfd12fffe53e9f8a5b09e23537cec1c0082ce1c43a5c23da7a55011746d9d30f26c809993e5c11eea5651e199ba4ccaf1393ae831914485fbc4

memory/4328-151-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/4328-153-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/4328-154-0x0000000004D70000-0x0000000004D92000-memory.dmp

memory/4016-155-0x0000000005730000-0x0000000005796000-memory.dmp

memory/4328-156-0x00000000057E0000-0x0000000005846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djg34y4f.a5r.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/644-172-0x0000000000400000-0x0000000000432000-memory.dmp

memory/644-178-0x0000000074980000-0x0000000075130000-memory.dmp

memory/644-179-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/1820-177-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4328-180-0x0000000005E60000-0x0000000005E7E000-memory.dmp

memory/4328-181-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/4016-182-0x00000000048B0000-0x00000000048C0000-memory.dmp

memory/4016-183-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4328-184-0x000000007F220000-0x000000007F230000-memory.dmp

memory/4016-187-0x000000007F680000-0x000000007F690000-memory.dmp

memory/4016-188-0x0000000075230000-0x000000007527C000-memory.dmp

memory/4328-186-0x0000000075230000-0x000000007527C000-memory.dmp

memory/4016-185-0x0000000006440000-0x0000000006472000-memory.dmp

memory/4016-207-0x0000000006420000-0x000000000643E000-memory.dmp

memory/4016-209-0x0000000007190000-0x00000000071AA000-memory.dmp

memory/4328-208-0x0000000007820000-0x0000000007E9A000-memory.dmp

memory/4328-210-0x00000000071E0000-0x00000000071EA000-memory.dmp

memory/4016-211-0x00000000048B0000-0x00000000048C0000-memory.dmp

memory/4016-212-0x0000000007410000-0x00000000074A6000-memory.dmp

memory/4328-213-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4328-214-0x00000000025A0000-0x00000000025B0000-memory.dmp

memory/4328-215-0x00000000073C0000-0x00000000073CE000-memory.dmp

memory/4328-216-0x00000000074D0000-0x00000000074EA000-memory.dmp

memory/4016-217-0x00000000074D0000-0x00000000074D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d01850c44d36930a345294f60ee3127c
SHA1 0eb6ca768e424f950b6eb0a54932e72f6649c96a
SHA256 3edfa21b2e1b268a534f71a751f5170ca271966aff8cbb980ee80f4ffe8ab425
SHA512 21cf0bf18c4a8779ab313208314e7850c5147bc99c4fd98ebcca34be4415d6de7a91ad5b260041d5793bd0020b895432d67caeaaa5649dc79adb086deee36c9f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4016-223-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4328-224-0x0000000074980000-0x0000000075130000-memory.dmp

memory/644-225-0x0000000074980000-0x0000000075130000-memory.dmp

memory/644-226-0x0000000004C70000-0x0000000004C80000-memory.dmp

C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\f85e2b7c51973f393c7f1685fb8f76cf\Admin@MSXGLQPS_en-US\System\Process.txt

MD5 72254382d1fe2bda90eaa1a493a58393
SHA1 3c075b6d45addb6a0f8fede6d2e0bfd918b7534a
SHA256 95a21905de1661e665d2c49073edb27fd1c7e47a9aea91bd82fc9194552891e2
SHA512 fc5bb8fb01ff0eacd8109d2cf8e86e2865ecad83bc02c45cd96fbc70d488f0d1396795c6f45b2e27f8a41a060d1142b600f658854ac41505939c1ead3058375c

memory/644-370-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/644-375-0x0000000005350000-0x000000000535A000-memory.dmp

C:\Users\Admin\AppData\Local\78a681b7645586e0ea371e717c08fac3\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/644-381-0x0000000004C70000-0x0000000004C80000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-16 04:10

Reported

2023-08-16 04:13

Platform

win7-20230712-en

Max time kernel

148s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File created C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2204 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2204 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 920 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\schtasks.exe
PID 2204 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2204 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe
PID 2744 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 972 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 972 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 972 wrote to memory of 1036 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 972 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 972 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 972 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 972 wrote to memory of 2804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 972 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 972 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 972 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 972 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2744 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe C:\Windows\SysWOW64\cmd.exe
PID 1520 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1520 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1520 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1520 wrote to memory of 1688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 1520 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1520 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1520 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1520 wrote to memory of 1656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe

"C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jNrzOzeOpwekIz.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jNrzOzeOpwekIz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63E1.tmp"

C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe

"C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe

"C:\Users\Admin\AppData\Local\Temp\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid
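
The command lines above are the whole chain in miniature: two PowerShell invocations add Defender exclusions (one for the running sample, one for a Roaming copy named jNrzOzeOpwekIz.exe that does not exist yet), schtasks registers a task from an XML file under that same name, the sample re-launches its own image twice (the pattern the SetThreadContext signature in the summary usually accompanies), and the child runs netsh to enumerate saved Wi-Fi profiles and then nearby BSSIDs. The Python below is an added example written for this page, not part of the sandbox or of the malware: it re-implements that triage as rules over the report's own process list. The (pid, parent pid, command line) tuples are copied from the WriteProcessMemory rows and the Processes section; the rule names and ATT&CK technique IDs are the editor's mapping.

```python
"""Rule-based triage of the process command lines in this report.

Added example, not part of the sandbox's own tooling. The (pid, parent pid,
command line) tuples are copied from the report's WriteProcessMemory rows and
Processes section; rule names and ATT&CK IDs are the editor's mapping.
"""
import re

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\ff5974901076d59d6500da14a4d1eb8c21e6e06c7edf307c300333f0a42467b4.exe")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the report: (pid, parent pid, command line).
SAMPLE_PROCESSES = [
    (2204, None, f'"{SAMPLE_EXE}"'),
    (2232, 2204, f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE_EXE}"'),
    (2084, 2204, f'"{PS}" Add-MpPreference -ExclusionPath '
                 r'"C:\Users\Admin\AppData\Roaming\jNrzOzeOpwekIz.exe"'),
    (920, 2204, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jNrzOzeOpwekIz" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp63E1.tmp"'),
    (2988, 2204, f'"{SAMPLE_EXE}"'),
    (2744, 2204, f'"{SAMPLE_EXE}"'),
    (972, 2744, '"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    (1520, 2744, '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'),
]

# (rule name, ATT&CK technique, pattern over the command line)
RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)\b", re.I)),
    ("scheduled_task_from_xml", "T1053.005",
     re.compile(r'schtasks(?:\.exe)?"?\s.*?/Create\b.*?/XML\b', re.I)),
    ("wifi_profile_enumeration", "T1016.002",
     re.compile(r"\bnetsh\s+wlan\s+show\s+profile\b", re.I)),
    ("wifi_bssid_scan", "T1016.002",
     re.compile(r"\bnetsh\s+wlan\s+show\s+networks\b.*\bmode=bssid\b", re.I)),
]
# A child whose image equals its parent's image; with SetThreadContext in the
# summary this is the usual hollowing shape, so flag it as a candidate only.
SELF_SPAWN = ("self_spawn_injection_candidate", "T1055")

EXCL_RE = re.compile(r'-ExclusionPath\s+"([^"]+)"', re.I)
TASK_RE = re.compile(r'/TN\s+"([^"]+)"', re.I)


def image_of(cmdline):
    """First token of a command line (quoted or bare), lower-cased."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)).lower()


def triage(processes):
    """Return one finding dict per (process, rule) hit."""
    image = {pid: image_of(cmd) for pid, _, cmd in processes}
    findings = []
    for pid, ppid, cmd in processes:
        for rule, technique, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"pid": pid, "rule": rule,
                                 "technique": technique, "cmdline": cmd})
        if ppid is not None and image.get(ppid) == image_of(cmd):
            rule, technique = SELF_SPAWN
            findings.append({"pid": pid, "rule": rule,
                             "technique": technique, "cmdline": cmd})
    return findings


def rules_for(findings, pid):
    """Sorted rule names that fired for one pid (empty list if none)."""
    return sorted(f["rule"] for f in findings if f["pid"] == pid)


def persistence_artifacts(processes):
    """Defender-excluded paths and task names, for pivoting: here the
    excluded Roaming path and the task name share the string jNrzOzeOpwekIz."""
    excluded, tasks = [], []
    for _, _, cmd in processes:
        excluded += EXCL_RE.findall(cmd)
        tasks += TASK_RE.findall(cmd)
    return {"excluded_paths": excluded, "task_names": tasks}


if __name__ == "__main__":
    for f in triage(SAMPLE_PROCESSES):
        print(f"{f['pid']:>5}  {f['technique']:<10} {f['rule']}")
    print(persistence_artifacts(SAMPLE_PROCESSES))
```

The exclusion for a path that does not yet exist is the most useful pivot: whatever later lands at C:\Users\Admin\AppData\Roaming\jNrzOzeOpwekIz.exe has already been whitelisted, and the task name tells you where in the Task Scheduler library to look for it.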

Network

Country Destination Domain Proto
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:7707 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
N/A 127.0.0.1:6606 N/A tcp
N/A 127.0.0.1:8808 N/A tcp
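
Three things in this table carry the analysis: the icanhazip.com and api.mylnikov.org requests (the external-IP and geolocation lookups from the summary, the latter fed by the BSSID scan in the process list), the api.telegram.org traffic (StormKitty reports over the Telegram Bot API), and the repeated TCP connections to 127.0.0.1 on 6606, 7707 and 8808. That port set is the one an unmodified AsyncRAT build ships with, and a loopback target means the host setting was never changed, which matches the "default" tag in the summary. The Python below is an added example for this page, not sandbox output or any project's code: it parses the report's own rows and labels each destination. The domain labels, the default-port set and the reading of the IdenTrust fetch as a CryptoAPI side effect (the CryptnetUrlCache entry in the Files section points the same way) are the editor's assumptions.

```python
"""Classify the connections in this report's Network table.

Added example, not part of the sandbox's tooling. The rows are copied from
the report; the labels and the AsyncRAT default-port set are the editor's
knowledge of the family (assumption), not something the sandbox emitted.
"""
from collections import defaultdict

# Port set an unmodified AsyncRAT build is configured with (editor's assumption
# from the public source; the sandbox does not state this).
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

LABEL_EXTIP = "external IP lookup"
LABEL_GEO = "geolocation web service"
LABEL_TELEGRAM = "Telegram Bot API (StormKitty exfiltration channel)"
LABEL_CRYPTOAPI = "certificate chain fetch by CryptoAPI (TLS side effect)"
LABEL_ASYNCRAT = "AsyncRAT default port on loopback (consistent with an unconfigured build)"
LABEL_OTHER = "unclassified"

DOMAIN_LABELS = {
    "icanhazip.com": LABEL_EXTIP,
    "api.mylnikov.org": LABEL_GEO,
    "api.telegram.org": LABEL_TELEGRAM,
    "apps.identrust.com": LABEL_CRYPTOAPI,
}

# Constructed input: the Network rows of this report, one per line. Loopback
# rows have no Domain column in the original table, so both shapes are parsed.
SAMPLE_ROWS = """\
US 8.8.8.8:53 icanhazip.com udp
US 104.18.114.97:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 104.21.44.66:443 api.mylnikov.org tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
N/A 127.0.0.1:7707 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:6606 tcp
"""


def parse_row(line):
    """Split 'Country Destination [Domain] Proto' into a dict."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port),
            "domain": domain, "proto": proto.lower()}


def label(conn):
    if conn["proto"] == "udp" and conn["port"] == 53:
        return f"DNS lookup of {conn['domain']}"
    if conn["host"].startswith("127.") and conn["port"] in ASYNCRAT_DEFAULT_PORTS:
        return LABEL_ASYNCRAT
    return DOMAIN_LABELS.get(conn["domain"], LABEL_OTHER)


def classify(text):
    """Return {label: sorted unique 'host:port' strings} for the table rows."""
    out = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            conn = parse_row(line)
            out[label(conn)].add(f"{conn['host']}:{conn['port']}")
    return {k: sorted(v) for k, v in out.items()}


def loopback_ports(text):
    """Distinct ports contacted on 127.0.0.1, sorted."""
    rows = (parse_row(l) for l in text.splitlines() if l.strip())
    return sorted({r["port"] for r in rows if r["host"] == "127.0.0.1"})


if __name__ == "__main__":
    for lab, dests in classify(SAMPLE_ROWS).items():
        print(f"{lab}: {', '.join(dests)}")
    print("loopback ports:", loopback_ports(SAMPLE_ROWS))
```

For detection the loopback rows are the least useful (they never leave the host) and the Telegram rows the most: api.telegram.org over 443 from a process that is not a messaging client is the signal to alert on, and the external-IP plus geolocation pair right before it is the stealer building its victim profile.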

Files

memory/2204-53-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2204-54-0x00000000001A0000-0x0000000000296000-memory.dmp

memory/2204-55-0x0000000004DE0000-0x0000000004E20000-memory.dmp

memory/2204-56-0x0000000000430000-0x0000000000444000-memory.dmp

memory/2204-57-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2204-58-0x0000000004DE0000-0x0000000004E20000-memory.dmp

memory/2204-59-0x0000000000440000-0x000000000044C000-memory.dmp

memory/2204-60-0x0000000005530000-0x00000000055D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp63E1.tmp

MD5 a6bfb083a723aee8e9af7f8b4cbbc46f
SHA1 7409011345d4654ca1f92d6d1b8ac13ae4c40549
SHA256 72b37323f11ece4cb528d6f69abe207438e11ebdd94c2df31353d3834a3dda2b
SHA512 1bb613c3fea243d162dc3bbf5cf0e7a737637ce6750f9b88d5546104fd9d39778dc150db6710342977290280df877b180ddb4dfc6b183fcf46dfdde24d60503d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DCIPHSFSL59VYKLT0CJ2.temp

MD5 bcbffbc8dbead8b1771d946787209da4
SHA1 ffd1ec1d9ee909e230717cd02b232e32a59287ad
SHA256 29549393b90ac7363c68298bf6e7436605d6e757ca6c42cc9cfdca6b076ee8a7
SHA512 192f6fca1d79c227b4c93a1e269a229dda7f0229fa731328e3aa9c37bba0d4f8665da924b4a0446788dba1f653af642cd12d998287fa3d9e58be7b74656fc2ba

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 bcbffbc8dbead8b1771d946787209da4
SHA1 ffd1ec1d9ee909e230717cd02b232e32a59287ad
SHA256 29549393b90ac7363c68298bf6e7436605d6e757ca6c42cc9cfdca6b076ee8a7
SHA512 192f6fca1d79c227b4c93a1e269a229dda7f0229fa731328e3aa9c37bba0d4f8665da924b4a0446788dba1f653af642cd12d998287fa3d9e58be7b74656fc2ba

memory/2204-73-0x00000000053D0000-0x0000000005418000-memory.dmp

memory/2232-74-0x000000006EF70000-0x000000006F51B000-memory.dmp

memory/2232-76-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/2744-79-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2232-82-0x000000006EF70000-0x000000006F51B000-memory.dmp

memory/2084-83-0x00000000024E0000-0x0000000002520000-memory.dmp

memory/2744-84-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2744-80-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2744-77-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2744-86-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2084-75-0x000000006EF70000-0x000000006F51B000-memory.dmp

memory/2744-88-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2744-90-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2204-91-0x0000000074A30000-0x000000007511E000-memory.dmp

memory/2232-92-0x0000000002680000-0x00000000026C0000-memory.dmp

memory/2744-95-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2084-94-0x00000000024E0000-0x0000000002520000-memory.dmp

memory/2084-96-0x00000000024E0000-0x0000000002520000-memory.dmp

memory/2744-97-0x0000000073940000-0x000000007402E000-memory.dmp

memory/2744-98-0x0000000004480000-0x00000000044C0000-memory.dmp

memory/2084-99-0x000000006EF70000-0x000000006F51B000-memory.dmp

memory/2232-100-0x000000006EF70000-0x000000006F51B000-memory.dmp

C:\Users\Admin\AppData\Local\3bb95d3bf486e9f73690eb9f07e05c75\Admin@NYBYVYTJ_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/2744-141-0x0000000073940000-0x000000007402E000-memory.dmp

memory/2744-169-0x0000000004480000-0x00000000044C0000-memory.dmp

memory/2744-170-0x0000000004480000-0x00000000044C0000-memory.dmp

memory/2744-174-0x0000000004480000-0x00000000044C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC72F.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\TarC84B.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2efc55d0023e07b4cd248cae0f2fb01
SHA1 c5b48dadfafe0154d253ac62f23a1c060459be7e
SHA256 9d98b01d9812e111a5b4aa2a7ea64848457a330a683cf01bf6dbbb5dfc41c658
SHA512 0c190fdcf0e723063d6c8bb3280b67fac5f38b7a950c12d9ea43a97d1b915b1ada9fa0420dc330ab1e1dd37f501716414cc42bd37dc9a38d801f24600b960f30

C:\Users\Admin\AppData\Local\6a705ff963b832d927acbcde07d8ffcc\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
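
The msgid.dat entry above is small enough that its content can be recovered from the listed hashes alone, which is worth doing whenever a report gives digests but no dump: the four digests are exactly those of the single ASCII character 0, so the file is a freshly initialised counter rather than data. The Python below is an added example for this page, not sandbox tooling; the digests are copied from the report and the candidate contents are the editor's guesses. The guess that the file is a message-id counter for the Telegram channel is drawn from its name only.

```python
"""Recover the content of a tiny dropped file from the hashes a report lists.

Added example, not the sandbox's tooling. The digests are copied from this
report's entry for msgid.dat; the candidate byte strings are the editor's
guesses at what a small state file might hold.
"""
import hashlib

REPORTED_MSGID_DAT = {
    "md5": "cfcd208495d565ef66e7dff9f98764da",
    "sha1": "b6589fc6ab0dc82cf12099d1c2d40ab994e8410c",
    "sha256": "5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9",
    "sha512": "31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025"
              "f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99",
}

# Constructed candidates: empty file, small integers, line-ending variants.
CANDIDATES = [b"", b"0", b"1", b"0\n", b"0\r\n", b"-1", b"\x00"]


def fingerprint(data, algos=("md5", "sha1", "sha256", "sha512")):
    """Hex digests of `data` under each named algorithm."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def identify(reported, candidates):
    """First candidate whose digests equal every reported digest, else None.

    Requiring all algorithms to agree means one mistyped hash in the report
    yields None rather than a false match on the remaining ones."""
    wanted = {a: h.lower() for a, h in reported.items()}
    for data in candidates:
        if fingerprint(data, tuple(wanted)) == wanted:
            return data
    return None


if __name__ == "__main__":
    hit = identify(REPORTED_MSGID_DAT, CANDIDATES)
    print("msgid.dat content:", hit)
```

The same check applies to the two CustomDestinations entries: their identical digests show the .temp file and the .customDestinations-ms file hold the same bytes, so only one of them needs to be examined.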